On Tue, Nov 20, 2001 at 09:54:22AM -0600, Shawn wrote:
> I'm going to be installing Debian stable (woody?) in the next couple
> of days on my firewall/gateway machine. Dual NIC's, Pentium 120, 32MB
> ram. Is there anything in particular I need to watch out for?
Install the base system from the woody floppies. Woody is a minimum
requirement if you want to run Linux 2.4. The reason for this is that
the supporting system tools need to be upgraded from those present on
potato. I.e. modutils, mount, etc.
I usually go for the advanced installation option and bypass any task
selection, since they will likely install software you don't want or
need. Even then, I usually quit out of dselect or whatever front-end
they use and get to the shell prompt.
The tool to use is 'apt-get'. You probably won't have manpages
installed from the base install, so you might want those. I would
suggest the following:
bsdutils
psmisc (fuser, killall, pstree)
lsof (list open files... good diagnostics)
syslog-ng (nice replacement for sysklogd)
logrotate (not for syslog-ng, but for other software)
ssh (obvious reasons)
net-tools (familiar -- if not old -- ifconfig, route, etc.)
iptables
iproute (ip tool -- replaces route, ifconfig, etc)
manpages (optional)
snort (optional)
mrtg (optional)
iptraf (GREAT tool)
nmap (Excellent tool)
mtr (a very nice tracerouting tool for the console or gui)
traceroute
dnsutils (for host(1), dig(1), and family)
ntpdate (you likely don't need an ntp server running. ntpdate is a
nice client you can set up through cron to periodically
update the clock)
openssh (used for ssl)
oidentd (Give IRC servers fake identd responses, run from inetd)
xinetd (replace netkit-inetd superserver)
aide|tripwire (for diagnosing/detecting breakins)
nano (very simple editor)
vim (my favorite editor)*
ash (a minimalistic POSIX shell, a bit more compliant than bash)
cron (of course)
at (I'm not sure. I remember this being a security risk...anyone?)
ssmtp (very minimalistic SMTP client/sendmail nullclient replacement)
exim (also small, default SMTP server for Debian)
* ae(1) is installed by default and has multiple keybinding modes,
including wordstar, joe, emacs, pico, and vi. Essentially, this is
all you need.
That's a pretty good start. Here's a tip for setting all of these up
in a relatively simple and no-nonsense way. Use the following:
bash# echo "package1 install" | dpkg --set-selections
bash# apt-get dselect-upgrade -u
If you want to install a bunch of packages, do something like:
bash# for i in package1 package2 package3 ; do echo "$i install" | \
bash> dpkg --set-selections; done
bash# apt-get dselect-upgrade -u
Or use a file:
#----- BEGIN FILE (CUT HERE) -----
package1 install
package2 install
package3 install
#------ END FILE (CUT HERE) ------
bash# dpkg --set-selections < installthesepackages
bash# apt-get dselect-upgrade -u
Once you have a running system, look at the manpages for interfaces(5),
ifup(8), ifdown(8). The interfaces file is located in /etc/network/ and
the run-parts directories (if-up.d, if-down.d, if-pre-up.d,
if-post-down.d) may contain executable scripts you would like to run per
event. One script I like to use is:
#! /bin/sh
# save my environment to a temp file (mktemp rather than a predictable
# name: this runs as root and /tmp is world-writable)
set > "$(mktemp /tmp/ifupdown-env.XXXXXX)"
# EOF
You'll find some very useful environment variables from this. In
particular: IFACE, IF_ADDRESS, IF_NETMASK, IF_NETWORK, IF_BROADCAST,
IF_GATEWAY, and MODE. That allows fun scripts such as:
#! /bin/sh -e
#
# Set up forwarding from an if-up.d / if-down.d hook.
# Source the config file (it defines EXTIF and MYSVR). /bin/sh is not
# necessarily bash, so use "." rather than "source".
[ -f /etc/network/my_config ] && . /etc/network/my_config
EXTIF=${EXTIF:-eth0}
# If the interface is the external one, continue, otherwise exit.
[ "X${IFACE}X" = "X${EXTIF}X" ] || exit 0
# Fail loudly if the config file did not tell us where to forward to.
[ -n "$MYSVR" ] || { echo "$0: MYSVR not set in /etc/network/my_config" >&2; exit 1; }
# Add the DNAT rule on start, remove it again on stop.
# (The DNAT target takes --to-destination; each continued line needs its \.)
case $MODE in
start)
    iptables -t nat -A PREROUTING -i $EXTIF -p tcp \
        -m multiport --dports ftp,ssh,http,https \
        -j DNAT --to-destination $MYSVR
    ;;
stop)
    iptables -t nat -D PREROUTING -i $EXTIF -p tcp \
        -m multiport --dports ftp,ssh,http,https \
        -j DNAT --to-destination $MYSVR
    ;;
esac
# EOF
Alternately, you can specify these in your /etc/network/interfaces
directly.
# /etc/network/interfaces
auto lo eth0 eth1
...
iface eth0 inet static
address ...
...
up iptables -t nat -A PREROUTING ...
down iptables -t nat -D PREROUTING ...
# EOF
Good luck!
--
Chad Walstrom <chewie at wookimus.net> | a.k.a. ^chewie
http://www.wookimus.net/ | s.k.a. gunnarr
Key fingerprint = B4AB D627 9CBD 687E 7A31 1950 0CC7 0B18 206C 5AFD
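An added example, not from Chad's post: a hook in the same shape as his forwarding script that reads the IFACE and MODE variables ifupdown exports and the EXTIF/MYSVR settings from my_config, but prints the iptables commands instead of running them, so the result can be checked before it touches the firewall. It also validates MYSVR and emits the FORWARD rules a DNAT rule needs on a gateway whose FORWARD policy is DROP. The function names is_ipv4 and nat_rules are my own.

```shell
#!/bin/sh
# Added example (not part of the original post). Dry-run version of the
# if-up.d/if-down.d forwarding hook: ifupdown sets IFACE and MODE; EXTIF
# and MYSVR come from /etc/network/my_config as in the post. Forwarding
# itself must still be enabled via /proc/sys/net/ipv4/ip_forward.

# Return 0 if $1 is a plain dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# Print the iptables commands for the current IFACE/MODE. Prints nothing
# for interfaces other than EXTIF; returns 1 if MYSVR is not a valid address.
nat_rules() {
    ext=${EXTIF:-eth0}
    [ "X$IFACE" = "X$ext" ] || return 0
    is_ipv4 "$MYSVR" || { echo "nat_rules: bad MYSVR '$MYSVR'" >&2; return 1; }
    ports=ftp,ssh,http,https
    case "$MODE" in
        start) op=-A ;;
        stop)  op=-D ;;
        *)     return 0 ;;
    esac
    # Rewrite the destination of incoming connections on the listed ports.
    echo "iptables -t nat $op PREROUTING -i $ext -p tcp -m multiport --dports $ports -j DNAT --to-destination $MYSVR"
    # DNAT only rewrites; the FORWARD chain must still accept the packets,
    # inbound to the server and the established replies back out.
    echo "iptables $op FORWARD -i $ext -d $MYSVR -p tcp -m multiport --dports $ports -j ACCEPT"
    echo "iptables $op FORWARD -o $ext -s $MYSVR -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# When executed as a hook (IFACE set by ifupdown), print the plan.
if [ -n "$IFACE" ]; then nat_rules; fi
```

Pipe the output into sh once it looks right, or keep the echo form under a DRYRUN variable in a real hook.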